Despite the many areas of uncertainty regarding the implementation of SCA, almost everyone agrees that consumers are likely to experience an increased number of authentication challenges as they shop online from September 2019 onwards. While this increased authentication volume is expected to drive down fraud levels across the EU payments industry, it has created significant concerns for eCommerce merchants. They are worried that increased friction at the point of purchase will drive up basket drop-out and many feel that they are bearing the brunt of the payments industry’s fraud problems.
Today most merchants have a choice whether to use authentication tools such as 3DS. This choice will disappear in September once the SCA mandates come into force. However, many large merchants do not currently use 3DS to create a smoother check-out and minimise basket drop-outs. Merchants take this approach despite the fraud risks and the liability shift they bear, strongly illustrating the importance attached to controlling the check-out experience.
In order to mitigate some of these concerns the European Union legislator created a range of exemptions to SCA within the Regulatory and Technical Standards. The role of the low value and recurring exemptions is relatively well understood and follows standard custom and practice within the cards world. White listing (trusted beneficiaries) remains a mercurial opt-out, which many industry participants believe may be an important part of the payment industry’s future but is unlikely to be a major opportunity to reduce shopping friction during 2019. This is because many issuers are struggling to meet the mandatory SCA requirements, and see white listing as a nice to have in the short term.
However, none of these exemptions is the subject of this blog… The area of focus here is the TRA exemption, and its impact on the signalling for and allocation of risk within the payment ecosystem.
TRA allows the merchant’s acquirer to exempt certain transactions from SCA in exchange for the acquirer taking on the risk of fraud. Acquirers are expected to assess transaction risk and decide if they wish to take on the liability for fraud. If acquirers do not want the liability, they can leave the risk with the issuer by enabling an authentication step-up, or by using one of the other exemptions. Acquirers will make this assessment using real time fraud tools and whatever additional information they have on the customer at the time. For more detail on the TRA exemption itself see our previous blog.
If the acquirer wishes to take on the fraud risk, they will need to present a transaction to an issuer with the associated TRA flag (currently being developed by the card schemes). The issuer is always the final arbiter of an authentication decision and can always request a step-up or decline. It seems likely that the most efficient way of presenting the TRA flag for an issuer decision will be at the point of authentication (i.e. via 3DS) rather than authorisation, as this should reduce transaction latency. If the issuer accepts the acquirer exemption, the transaction will be authorised without the associated authentication, the acquirer will take on liability, and bear the costs of any fraud.
Our hypothesis is that issuers should be more disposed to accept requests not to decline TRA flagged transactions because:
The implication of this approach is that issuers should see TRA flagged transactions as a low (arguably zero) risk signal from their acquiring counterparts and should thus be highly inclined to accept the exemption applied by the acquirer.
Whether this hypothesis turns out to be true we will just have to wait until Q4 2019 to see. It remains unclear at this stage how many issuers will be able to support their own TRA opt-outs or will even look for the relevant scheme TRA flags within incoming transactions.
The latest ING International Survey indicates Europeans are wary of new technology in banking, despite a high demand.
New technology, such as facial and voice recognition, is giving more options than ever before, but despite these advances, acceptance is far from complete with 65% of Europeans having never used fingerprint or voice recognition to log into their banks’ app.